Last updated: September 7, 2025
“Personal data” (or “personal information”) means any information that identifies, relates to, describes, or could reasonably be linked to an individual—such as name, email, phone number, ID numbers, payment details, health information, and online identifiers.
Local installation. If you install Medform on your clinic’s computers, we do not access personal information in your local instance unless you grant temporary access for support or maintenance.
Cloud access. If you use our online portal, Medform hosts and processes data to provide the Service.
Healthcare role. When we handle Protected Health Information (PHI) for a HIPAA Covered Entity, Medform acts as a Business Associate and will sign a BAA. We use/disclose PHI only to provide and support the Service and as permitted by HIPAA and the BAA.
For the online Service, we may collect device and usage data (pages viewed, features used, searches, date/time, IP address, device/OS, browser) to operate, secure, and improve the Service. For local installations, we typically do not receive usage analytics from your environment, though we may store information about the hardware for licensing/support.
We use cookies to keep you signed in, remember settings, and understand Service use. You can control cookies in your browser; blocking some cookies may limit functionality.
SMS consent. If you enable SMS features, you confirm you have obtained any required consents from recipients. Recipients can opt out by replying “STOP.” Carrier rates may apply.
We do not sell personal information and we do not “share” it for cross-context behavioral advertising.
We use administrative, technical, and physical safeguards designed to protect information from unauthorized access, loss, misuse, or alteration. No method is 100% secure.
Your responsibilities. Clinics must manage internal access controls, secure devices, and safeguard credentials—especially for local installations.
We retain information as needed to provide the Service, comply with law, resolve disputes, and maintain business records. Clinics control most retention of content inside their workspace (e.g., records, messages, documents). Upon termination, we follow contractual data return and deletion commitments.
Depending on your state, you may have rights to access, delete, correct, or export your personal information, and to opt out of targeted advertising, certain profiling, or the sale/share of personal information (e.g., California CCPA/CPRA, Colorado CPA, Texas TDPSA). To exercise rights for information Medform controls (website/account data), contact us. For patient records your clinic controls, contact your clinic.
If we deny a request, you may have the right to appeal; instructions will be provided where required by law.
Our marketing site and admin tools are not directed to children under 13, and we do not knowingly collect personal information from them without verifiable parental consent. Clinics may manage minors’ patient records in accordance with their legal obligations (e.g., HIPAA).
We primarily process information in the United States. If we transfer information across borders (e.g., to service providers), we will do so in accordance with applicable law and with appropriate safeguards.
We may update this Policy from time to time. We will post the updated version with a new “Last updated” date and provide additional notice if changes are material.
Questions or requests about this Policy or our privacy practices?
Email: [email protected]
Medform Software, Inc. (“Medform,” “we,” “us,” or “our”) respects the privacy of our clinic customers and their authorized users of MEDFORM, our software platform for clinics and practices (the “System”). You can access the System through a local installation at your clinic or through our online portal at online.medform.co.us (together with the System and any related services, the “Service”).
This Privacy Policy explains what we collect, how we use and share it, and the choices you have.
Local installation. If you deploy the System on computers at your clinic, we do not have access to personal information stored in your local instance unless you grant us temporary access (e.g., for support or maintenance).
Cloud access. If you use the online portal, Medform hosts and processes data to provide the Service.
Healthcare role. To the extent Medform handles protected health information (“PHI”) on behalf of a Covered Entity under HIPAA, Medform acts as a Business Associate and will sign a Business Associate Agreement (BAA). As a Business Associate, Medform uses/discloses PHI only to provide and support the Service and as permitted by HIPAA and the BAA.
Order form / subscription. Customer details and a primary contact (e.g., name, email, phone; if an individual subscriber, billing identifiers).
Login and account. Authorized users access via credentials that may include email and phone. We may send verification messages for security.
Within the System. Clinics may upload records and documents (including patient information and PHI), visit summaries, images, treatment plans, prescriptions, billing entries, and communications history. Medform uses this information only to provide the Service and support your clinic.
Messaging tools. If you use integrated messaging (e.g., email/SMS/WhatsApp), you may enter recipient details and message content.
Support requests. If you contact us, we collect the information you submit and communications related to your request.
When you use the online Service, we may collect device and usage data such as pages viewed, features used, search queries, date/time, IP address, device type/OS, and browser. We may also use privacy-focused analytics to help us understand feature adoption and reliability. For local installations, we generally do not receive usage analytics from your local environment, though we may store information about the hardware on which the System is installed for licensing/support.
We use cookies and similar technologies to keep you signed in, remember settings, and understand how the Service is used. You can control cookies via your browser; blocking some cookies may limit functionality. (For regulatory context, see the FTC’s COPPA rule for children’s data and recent updates.)
We use the information described above to:
Provide and secure the Service, including authentication, feature access, and fraud/abuse prevention;
Operate clinic workflows: scheduling, records, e-prescriptions, messaging, billing, tasking, treatment-plan tracking, and follow-ups;
Process payments and manage subscriptions;
Support you (training, customer support, technical troubleshooting);
Improve the Service and develop new features (primarily using aggregated or de-identified data wherever feasible);
Customize experiences and settings for your users;
Send administrative or service messages (e.g., verification, security, material updates);
Send marketing communications where permitted (you can opt out at any time).
Text/SMS consent. If you enable SMS features, you confirm you have obtained any required consents from message recipients. Recipients can opt out by replying STOP. Carrier rates may apply.
We do not sell personal information and we do not “share” it for cross-context behavioral advertising. For California consumers, see Your State Privacy Rights below.
We may disclose information:
Service providers (e.g., hosting, storage, messaging, analytics, payment processing) under contract, limited to performing services for us;
At your direction (integrations you enable);
Legal, safety, and enforcement (to comply with law or enforce our terms);
Business transfers (e.g., merger, acquisition, or asset sale; the recipient will honor this Policy);
Aggregated/de-identified insights that do not identify an individual.
We retain information for as long as necessary to provide the Service, comply with legal obligations, resolve disputes, and maintain business records. Clinics control most retention decisions for content inside their workspace (e.g., records, messages, documents). Upon termination, we follow contractual data return and deletion commitments.
We use administrative, technical, and physical safeguards designed to protect information against unauthorized access, loss, misuse, or alteration. No method of transmission or storage is 100% secure; you use the Service with this understanding.
Customer responsibilities. Clinics are responsible for access controls within their organization, secure device configurations, and safeguarding credentials—especially for local installations.
Marketing opt-out. You can unsubscribe from marketing emails using the link in the message or by contacting us.
Cookie controls. Use your browser settings to block or remove cookies (some features may not work without them).
Messaging features. Configure templates, recipients, and opt-out language within your clinic settings.
Depending on where you live, you may have rights to access, delete, correct, or export your personal information, and to opt out of targeted advertising, certain profiling, or the sale/share of personal information. States with such rights include (for example) California (CCPA/CPRA), Colorado (CPA), Texas (TDPSA), and others. To exercise these rights for information Medform controls (e.g., website or account data), contact us as described below. For patient records that your clinic controls, please contact your clinic directly.
California (CCPA/CPRA). California consumers have the rights noted above—including the right to limit the use and disclosure of sensitive personal information and to direct a business not to sell or share personal information. We provide notice of our practices in this Policy and, where required, at or before collection.
We will verify your request and respond consistent with applicable law. If we deny a request, you may have the right to appeal—instructions will be included in our response (where required by state law).
Our marketing site and admin tools are not directed to children under 13, and we do not knowingly collect personal information from them without verifiable parental consent. Clinics may use the Service to manage patient records—including minors’ records—under their own policies and legal obligations (e.g., HIPAA). For general U.S. requirements on children’s privacy online, see the FTC’s COPPA Rule (updated April 22, 2025).
We primarily process information in the United States. If we transfer information across borders (e.g., to service providers), we will do so in accordance with applicable law and with appropriate safeguards.
We may update this Policy from time to time. We will post the updated version with a new “Last updated” date. If changes are material, we will provide additional notice as required.
Questions, requests, or complaints about this Policy or our privacy practices?
Email: [email protected]